Finally, We Get Some Answers About How The Government Gets Data From Facebook, Google, Etc.

There has been an uproar over the past 36 hours after two news
organizations reported that nine of the country's biggest
technology companies are partnering with the government in a
massive spying program in which the FBI and National Security
Agency have been given "direct access" to the companies' "central
servers" and allowed to monitor any user at any time.

This direct access, the initial reports implied, allows the
government to follow the communications of any of the companies'
hundreds of millions of users in real time, with no legal
oversight.

One of the stories quoted a career intelligence officer as saying
that this surveillance program was so powerful that,
“They quite literally can watch your ideas
form as you type.”

The impression these stories created was that Google, Facebook,
Apple, Yahoo, Microsoft, and other companies had voluntarily
opened their servers to government spies and allowed the
intelligence agencies to do whatever they wanted.

The companies confirmed, as they have many times in the past,
that they provide specific information to government
investigators in response to specific requests — when they are
required to do so by law. But they emphatically denied that they
they had opened their servers to the government. Most of the
companies also said that they had never heard of the spying
program, PRISM, that they were supposedly partnered with.

Such is the general fear of privacy violations by the big tech
companies that, upon hearing these denials, many people accused
the companies of lying. Others parsed their denials, looking for
ways to square the carefully worded language with the assertions
in the news stories. Still others focused their skepticism on the
document upon which the assertion that the NSA had direct access
to the companies' servers was based, which struck many people as
misleading.

These details explain where the "direct access to servers"
assertion came from. And at the same time, the details vindicate
the tech companies' vehement denials.

Importantly, the details also make clear that the
government does NOT have the ability to snoop on any Facebook,
Google, etc. user in real time with no legal oversight.

To understand how the government and the tech companies are
actually working together, you first need to understand how any
basic data request works.

To wit:

The government requests a bunch of data from a company (telephone
company, Internet company, etc.). The company's lawyers review
the request, pushing back if they think it's unlawful or overly
broad. If/when the lawyers determine that the request is legal,
they decide how to give the data to the government.

This transfer of information can happen in one of three basic
ways:

1) Paper, which is manually delivered.

2) Electronic files like PDFs or spreadsheets,
which are sent electronically.

3) Electronic files that are stored on a server,
to which access is provided.

Importantly, all three of these methods of information transfer
are used in the civilian world, too. And in recent years, with
the rise of "cloud storage," the third method has become
convenient and popular. (Think Dropbox — the company that allows
you to save files to the cloud and give your friends access to
them.)

Even narrow requests for electronic communications (email,
instant messages, file transfers, etc.) tend to produce massive
amounts of data. So delivering this data electronically is vastly
more convenient than printing it out on paper — for both the
company fulfilling the request AND the government investigators.
And "delivering" it by storing it on a server and giving the
government access instead of sending the files via email or FTP
is even more convenient. (The data is going to live on a "server"
somewhere anyway. It doesn't really matter where the server is.)

According to Claire Cain Miller's article, what is going on
between the government and the technology companies is basically
discussions about how the companies will provide the specific
information the government requests.

Importantly, the transfer of this information appears to follow
the normal procedure:

The government requests specific information.

The companies' lawyers review the request.

The companies lawyers approve the information transfer.

The companies make the information available to the
government electronically.

According to Miller, in deciding how to facilitate the
fulfillment of these requests, some of the companies have had
discussions with the government about creating a storage server
that the government has access to — a "dropbox" of sorts.

Importantly, any information placed on this server would still be
reviewed by the companies' lawyers. And the information placed on
these servers is not, say, "all the information generated by all
Facebook users every day" (Facebook
has explicitly said this.) Rather, it is likely much narrower
requests for information about specific users, all of which have
to be legal under the Foreign Intelligence Surveillance Act
(FISA).

Given the nature of the communications that take place on
Facebook, Google, etc., it's easy to imagine that sometimes the
government will request real-time access to the activity streams
of specific users. This would be analogous to requesting a tap on
someone's phone line. And the companies have presumably had
discussions with the government about how best to provide this
information.

So that's what appears to be going on between the government and
the tech companies.

The companies are fulfilling their legal obligations to provide
data to the government in response to legal requests. They are
also discussing with the government how best to fulfill these
requests while also protecting the privacy of their users.

The companies are "cooperating" with the government, but only in
the sense that a person asked to do something by a police officer
is "cooperating" with the police officer.

What the companies are NOT doing is:

Giving the government direct access to their central servers
so the government can spy on any user at any time with no
oversight.

"Partnering" with the government in a global spying program.

Given the recent revelations about how much data the government
is collecting under its intelligence programs, it certainly makes
sense to discuss the whether current laws are striking the right
balance between privacy and security.

But that's a very different discussion than whether the big tech
companies have sold out billions of users by voluntarily
participating in a global spying program.